<![CDATA[localhost development cookie issue]]>I am developing a SPA with react. I am having an issue while developing locally, i.e. on my localhost, the app is talking to FusionAuth and a service that is performing PKCE which are running remotely. I am having issues with the cookies being set. The cookies that are returned from the backend have a domain which is not localhost so they are dropped after the authentication and redirect.

How do I develop locally with this set-up, redirect back to localhost after authentication and retain the cookies?

]]>https://fusionauth.io/community/forum/topic/2378/localhost-development-cookie-issueRSS for NodeThu, 16 Apr 2026 13:51:25 GMTThu, 27 Apr 2023 15:56:02 GMT60<![CDATA[Reply to localhost development cookie issue on Thu, 18 May 2023 00:51:52 GMT]]>@jacksontrevan Yes, this is unfortunately a limitation of cookies.

You could work around that by setting up a DNS alias to local.example.com (assuming FusionAuth is running remotely at auth.example.com).

You can usually set that up by googling for local host in /etc/hosts <platform> which turns up:

]]>https://fusionauth.io/community/forum/post/6151https://fusionauth.io/community/forum/post/6151Thu, 18 May 2023 00:51:52 GMT<![CDATA[Reply to localhost development cookie issue on Mon, 08 May 2023 13:20:13 GMT]]>@vinicius-campitelli The issue is with the our backend setting the final cookies, app.at, app.idt, app.at_exp in one domain after authentication, then having the application redirect back to localhost and retain the cookies. In other words I am trying to authenticate as a user and develop on localhost, however after authentication the cookies are no longer accessible when I redirect back to localhost.

]]>https://fusionauth.io/community/forum/post/6128https://fusionauth.io/community/forum/post/6128Mon, 08 May 2023 13:20:13 GMT<![CDATA[Reply to localhost development cookie issue on Wed, 03 May 2023 20:44:49 GMT]]>@jacksontrevan

Hi there!

Can you please elaborate?

In the Authorization Code grant flow with PKCE:

  1. Your backend generates a code challenge and a code verifier (which should be stored in your side, either in cookies or server session)
  2. Your application takes the user to FusionAuth's /oauth2/authorize endpoint with redirect_url, code_challenge and other parameters
  3. User logs in
  4. FusionAuth redirects the user back to the provided redirect_url (your backend) with an authorization code
  5. Your backend sends a request to FusionAuth's /oauth2/token endpoint with the received authorization code and the code verifier
  6. FusionAuth compare code verifier and challenge and returns an access token
  7. You can now use that access token to call your API or other resources

So which cookies are you trying to retrieve? In that flow, the backend would only need to store the code verifier in cookies during step 1.

]]>https://fusionauth.io/community/forum/post/6119https://fusionauth.io/community/forum/post/6119Wed, 03 May 2023 20:44:49 GMT